feat: use knative.dev/pkg/tls for activator TLS configuration #16424

Merged
knative-prow[bot] merged 1 commit into knative:main from Fedosin:activator-tls
Mar 8, 2026
Fedosin (Contributor) commented Mar 3, 2026

Proposed Changes

Replace the hardcoded tls.VersionTLS13 in the activator's HTTPS server with the shared knative.dev/pkg/tls package, allowing TLS settings to be configured via ACTIVATOR_TLS_MIN_VERSION, ACTIVATOR_TLS_MAX_VERSION, ACTIVATOR_TLS_CIPHER_SUITES, and ACTIVATOR_TLS_CURVE_PREFERENCES environment variables. The default remains TLS 1.3 when no env var is set.

knative/pkg patch: knative/pkg#3324

Release Note

The activator now reads TLS settings from environment variables (ACTIVATOR_TLS_MIN_VERSION, ACTIVATOR_TLS_MAX_VERSION, ACTIVATOR_TLS_CIPHER_SUITES, ACTIVATOR_TLS_CURVE_PREFERENCES) via the shared knative.dev/pkg/tls package instead of hardcoding TLS 1.3.
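
The configuration pattern this PR describes, as an added example that is not code from the PR or from knative.dev/pkg/tls: a loader built on Go's standard crypto/tls that reads the ACTIVATOR_TLS_* variables, defaults to TLS 1.3, and rejects versions and cipher suites outside an allowlist. `LoadTLS`, `isComma` and the accepted value spellings (`1.2`, `1.3`, Go cipher suite names) are assumptions; curve preferences are left out and would follow the same allowlist pattern.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"os"
	"strings"
)

// Accepted spellings are an assumption; the page names only the variables.
var versions = map[string]uint16{"1.2": tls.VersionTLS12, "1.3": tls.VersionTLS13}

// LoadTLS (hypothetical helper) builds a server config from <prefix>_TLS_* variables.
func LoadTLS(prefix string, getenv func(string) string) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS13} // default when nothing is set
	for key, dst := range map[string]*uint16{"MIN_VERSION": &cfg.MinVersion, "MAX_VERSION": &cfg.MaxVersion} {
		if v := getenv(prefix + "_TLS_" + key); v != "" {
			id, ok := versions[v]
			if !ok { // fail closed: no TLS 1.0/1.1 and no typos
				return nil, fmt.Errorf("%s_TLS_%s: unsupported version %q", prefix, key, v)
			}
			*dst = id
		}
	}
	if cfg.MaxVersion != 0 && cfg.MaxVersion < cfg.MinVersion {
		return nil, fmt.Errorf("%s_TLS_MAX_VERSION is below the minimum version", prefix)
	}
	suites := map[string]uint16{}
	for _, s := range tls.CipherSuites() { // tls.InsecureCipherSuites() is left out
		suites[s.Name] = s.ID
	}
	// crypto/tls applies CipherSuites only up to TLS 1.2; TLS 1.3 suites are fixed.
	for _, name := range strings.FieldsFunc(getenv(prefix+"_TLS_CIPHER_SUITES"), isComma) {
		id, ok := suites[strings.TrimSpace(name)]
		if !ok {
			return nil, fmt.Errorf("%s_TLS_CIPHER_SUITES: unsupported suite %q", prefix, name)
		}
		cfg.CipherSuites = append(cfg.CipherSuites, id)
	}
	return cfg, nil
}

func isComma(r rune) bool { return r == ',' }

func main() {
	_, err := LoadTLS("ACTIVATOR", os.Getenv)
	fmt.Println("activator TLS config error:", err)
}
```

Because the minimum defaults to TLS 1.3 in this sketch, setting only ACTIVATOR_TLS_MAX_VERSION=1.2 is rejected at startup instead of yielding a server that cannot complete a handshake.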

@knative-prow knative-prow Bot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Mar 3, 2026
@knative-prow knative-prow Bot requested review from dsimansk and skonto March 3, 2026 10:07
@knative-prow knative-prow Bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Mar 3, 2026
linkvt (Member) commented Mar 3, 2026

Looks good!

/lgtm

@knative-prow knative-prow Bot added the lgtm Indicates that a PR is ready to be merged. label Mar 3, 2026
codecov Bot commented Mar 3, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 80.27%. Comparing base (42495d4) to head (658eb45).
⚠️ Report is 7 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #16424      +/-   ##
==========================================
+ Coverage   80.21%   80.27%   +0.05%     
==========================================
  Files         217      217              
  Lines       13511    13511              
==========================================
+ Hits        10838    10846       +8     
+ Misses       2307     2301       -6     
+ Partials      366      364       -2     

@knative-prow knative-prow Bot removed the lgtm Indicates that a PR is ready to be merged. label Mar 3, 2026
Comment thread cmd/activator/main.go Outdated
Comment thread cmd/activator/main.go Outdated
Comment thread cmd/activator/tls_config_test.go Outdated
twoGiants left a comment

/approve

Left a few comments, but nothing major and probably can be merged anyway. Wdys?

@knative-prow knative-prow Bot added the lgtm Indicates that a PR is ready to be merged. label Mar 3, 2026
@twoGiants

/hold for the comment review

Unhold when you want to merge @Fedosin

@knative-prow knative-prow Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 3, 2026
@knative-prow knative-prow Bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed lgtm Indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Mar 3, 2026
twoGiants left a comment

/approve
/lgtm

@knative-prow knative-prow Bot added the lgtm Indicates that a PR is ready to be merged. label Mar 3, 2026
@twoGiants

/unhold

@knative-prow knative-prow Bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 3, 2026
Fedosin (Contributor, Author) commented Mar 4, 2026

/hold

@knative-prow knative-prow Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 4, 2026
@knative-prow knative-prow Bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed lgtm Indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Mar 4, 2026
@knative-prow knative-prow Bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Mar 5, 2026
Fedosin (Contributor, Author) commented Mar 5, 2026

/hold cancel

@knative-prow knative-prow Bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 5, 2026
Comment thread cmd/activator/tls_config_test.go Outdated
Replace the hardcoded tls.VersionTLS13 in the activator's HTTPS server
with the shared knative.dev/pkg/tls package, allowing TLS settings to be
configured via ACTIVATOR_TLS_MIN_VERSION, ACTIVATOR_TLS_MAX_VERSION,
ACTIVATOR_TLS_CIPHER_SUITES, and ACTIVATOR_TLS_CURVE_PREFERENCES
environment variables. The default remains TLS 1.3 when no env var is set.

Signed-off-by: Mikhail Fedosin <mfedosin@redhat.com>
@knative-prow knative-prow Bot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Mar 5, 2026
linkvt (Member) commented Mar 5, 2026

/lgtm

@knative-prow knative-prow Bot added the lgtm Indicates that a PR is ready to be merged. label Mar 5, 2026
twoGiants left a comment

/approve
/lgtm

linkvt (Member) commented Mar 5, 2026

/retest

dprotaso (Member) commented Mar 8, 2026

/approve
/lgtm

knative-prow Bot commented Mar 8, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dprotaso, Fedosin, twoGiants

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@knative-prow knative-prow Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 8, 2026
@knative-prow knative-prow Bot merged commit ab8ae55 into knative:main Mar 8, 2026
71 checks passed
Fedosin added a commit to Fedosin/serving that referenced this pull request Mar 20, 2026
… TLS

Backport of the following PRs from main to release-1.21:
- knative#16424 feat: use knative.dev/pkg/tls for activator TLS configuration
- knative#16425 feat: use knative.dev/pkg/tls for queue-proxy TLS configuration
- knative#16431 feat: use knative.dev/pkg/tls for reconciler TLS configuration
- knative#16458 Update TLS import path to knative.dev/pkg/network/tls

Replace hardcoded tls.VersionTLS13 in the activator, queue-proxy, and
tag-to-digest resolver with the shared knative.dev/pkg/network/tls
package, allowing TLS settings (min/max version, cipher suites, curve
preferences) to be configured via environment variables:
  - ACTIVATOR_TLS_*
  - QUEUE_PROXY_TLS_*
  - TAG_TO_DIGEST_TLS_*

Add four new keys to the config-deployment ConfigMap
(queue-sidecar-tls-min-version, queue-sidecar-tls-max-version,
queue-sidecar-tls-cipher-suites, queue-sidecar-tls-curve-preferences)
and forward them as QUEUE_PROXY_TLS_* environment variables in
makeQueueContainer.

The default remains TLS 1.3 when no env var is set. The tag-to-digest
resolver default is bumped from TLS 1.2 to TLS 1.3.

knative/pkg dependency: knative/pkg#3337

Signed-off-by: Mikhail Fedosin <mfedosin@redhat.com>
knative-prow Bot pushed a commit that referenced this pull request Mar 20, 2026
… TLS (#16482)
